On 12 May 2017, more than a third of hospitals and hundreds of GP practices were disrupted in the global ransomware attack. Tens of thousands of operations, tests, and appointments were cancelled, ambulances diverted. There were reviews, inquiries, new regulations, hundreds of millions of pounds diverted to cyber security. Stern talk all around.

The chaos brought home the real consequences of cyber-crimes in a hitherto unknown way.

So has the NHS woken up?

Wide-eyed and twitchy

Cyber security does get more attention and money post-WannaCry.

Last year, 91 trusts were given a slice of £61m in central cyber funding, from £3.5m for Barts Health Trust to £10,000 for Dorset Health Care University Foundation Trust.

The Download has been told the money distributed came with few to no strings attached, so it will be difficult to measure whether it was put to good use. But some is better than none and there were some clear gaps (trauma centres) that needed patching.

All trusts have now had a cyber assessment (more on that later), so they at least know the size of the problem. Tougher regulations, including GDPR and a new data security toolkit, also theoretically make it harder for NHS organisations to turn a blind eye to cyber. As of May this year, all but one NHS organisation had designated someone with board level responsibility for data security.

All of the 200 organisations that received a cyber assessment post-WannaCry failed to meet cyber security standards. Some were assessed in the weeks after the attack, others more than six months later. But it is telling that not one organisation passed.

And while money is being spent to improve cyber security, it is unlikely to be enough to repair years of underinvestment in NHS IT infrastructure. An internal NHS Digital estimate found it would cost £1bn to bring the NHS up to a cyber “minimum bar” (investment committed is less than a quarter of that). The Department of Health and Social Care says trusts will still be expected to “develop plans” to reach this minimum bar, but it has not explained how they will pay for it.

While some plans for regulatory change have moved at pace, others have not.

The Care Quality Commission is meant to be incorporating data security, including unannounced “cyber inspection”, into its inspection regime by the end of the year. It piloted six cyber inspections with NHS Digital earlier this year but did not incorporate them into any final reports. The two agencies have now “agreed to start work on a methodology” of how that might happen, but it’s unlikely to be any time soon.

As of now, there is no clear programme for incentivising better cyber security or clear regulatory consequence for failing to improve. For local NHS leaders juggling many competing demands, this makes cyber difficult to prioritise.

A jolt in the night

But the threat has not gone away. If anything, it has grown.

Hard data on cyber attacks in the NHS is scant and is often withheld on national security grounds. However, senior officials have told The Download that malware and adware infections are commonplace in NHS organisations. Many will be relatively harmless, others could silently compromise the confidentiality and integrity of NHS data even if they do not cause widespread service disruption.

The sensitive records of millions of patients popping up on the web, or another WannaCry-style attack, could focus minds.

Heavy fines could also do the trick.

The EU-wide network and information systems directive was introduced alongside GDPR in May but received far less attention. It requires “essential services” to take reasonable steps to protect themselves from cyber attacks or hardware failures. The NHS is covered by the directive and, in theory, organisations can be fined up to £17m.

The likelihood of a trust receiving that sort of fine has been played down, but papers that went to an internal NHS Digital board in June show an NHS framework has already been drawn up.

Under it, fines vary from £25,000 for a one-off minor incident to £17m for multiple breaches that result in an “immediate threat to life or significant adverse impact on the UK economy”.

But while a few big fines may focus minds on cyber security, it won’t shake free the money to fund it.